Update admin/overview to link to my server's specific security scan results

[mjmccarn]

How to use GitHub

• Please use the 👍 reaction to show that you are interested in the same feature.
• Please don't comment if you have no relevant information to add. It's just extra noise for everyone subscribed to this issue.
• Subscribe to receive notifications on status change and new comments.

Is your feature request related to a problem? Please describe.

• I keep a record of the nextcloud scan results URL for each of my servers
• I update the security scan results after each server update in case new technologies have introduced any recommended changes for my server configuration
• More admins would follow this practice if the scan URL from admin/overview went directly to the specific results for each server.

Describe the solution you'd like "our security scan" on the admin overview page should link directly to the server's results

This can be done by:

1. Add a config variable in config/config.php to hold the scan results details
2. Update apps/settings/templates/settings/admin/overview.php to include the scan results details if configured
3. Update occ support:report to consider 'scanresult' a sensitive value (not covered here)

Proof of Concept

• config/config.php (for this proof-of-concept I included "/results/" in the config.php setting for 'scanresult', but this feels a bit kludgy...)

  'scanresult' => '/results/my-server-specifc-scan-result-id',

• apps/settings/templates/settings/admin/overview.php

• <?php print_unescaped($l->t('Check the security of your Nextcloud over our security scan ↗.', ['https://scan.nextcloud.com']));?>`

• <?php print_unescaped($l->t('Check the security of your Nextcloud over our security scan ↗.', ['https://scan.nextcloud.com'. \OC::$server->getSystemConfig()->getValue('scanresult')]));?>

Optimally

• the value of scanresult would be only the unique server identifier, not the entire URL as I have done above
• the text of the message would change if 'scanresult' is configured

Suggested alternative language:

• If "scanresult" is

  • configured (non-blank)
  • appears valid (36 character hex value in 5 segments - af3a7d24-4033-4dca-8b05-52bd28c39382

• then the message would change to Check and update your [Nextcloud security scan results ↗] (https://scan.nextcloud.com/results/[value-of-scanresult-from-config.php])

• OTHERWISE use the current language: Check the security of your Nextcloud over [our security scan ↗] (https://scan.nextcloud.com/).

Describe alternatives you've considered This could also be addressed by making changes to both the web server at scan.nextcloud.com and the admin/overview hyperlink to securely pass a servername value (perhaps overwritehost) to the scan server search box

[joshtrichards]

Hi @mjmccarn - Interesting idea, but:

More admins would follow this practice if the scan URL from admin/overview went directly to the specific results for each server.

Do you really think admins that aren't inclined to type their own URL in at https://scan.nextcloud.com after clicking the existing link are going to jump through an extra setup step to add the special UUID? I have my doubts. :-)

I do think being able to direct link to an auto-filled in target URL field and/or call the underlying scan.nextcloud.com API would be a convenient addition. Unfortunately overwritehost isn't always in-use (configured), and there could be multiple trusted_domains so we'd probably guess the "right" external URL about as much as we'd guess it wrong.

[mjmccarn]

Do you really think admins that aren't inclined to type their own URL in at https://scan.nextcloud.com after clicking the existing link are going to jump through an extra setup step to add the special UUID? I have my doubts. :-)

Actually yes, I do.

The difference is between taking an extra step once, when time permits, vs taking an extra step over and over and over - sometimes when time pressure is high.

My nextcloud upgrade procedure requires me to update (and record) the scan results with every point-level upgrade. Since the scan became available I have only missed re-scanning when time pressure got in the way.

[joshtrichards]

Fair enough. Can you send along your proof of concept as a PR so it can be considered for merge? Doesn't have to be perfect - it'll get reviewed and we won't be shy about making suggestions. :-)